No high-cost cyberattacks on smart phones have been identified so far, but security researchers have highlighted a number of vulnerabilities and smaller-scale assaults that underscore the dangers that mobile users are beginning to face.

"The tipping point is already behind us," said Jan Volzke, director of product management for mobile applications at McAfee Inc.

Late last month, a security professional in the United Kingdom discovered a method through which malicious websites could grab the contents of any file stored on an Android device's memory card.

This fall, Eric Monti of Trustwave took an iPhone jailbreak application, which allows users to install any program on their phone, and made a "weaponized" version that can crack in to a phone when the user clicks on a link online.

Calls activated

His colleagues, Nicholas Percoco and Christian Papathanasiou, developed a root kit for Android devices, which can break in to the phone and conceal itself within the operating system.

It's activated when a specific phone number calls the handset, connecting to the attacker's computer and providing access to texts, the address book, the phone's location and more. It can also be used to force the handset to make outbound calls that the user won't see, which could be used to dial up expensive sex lines.

The malware could be installed either through vulnerabilities identified by others, or by pretending to be a legitimate app. Google doesn't review the software in its Android Market, instead relying on users to flag questionable apps. Some have warned that this openness could be exploited by cyber-criminals to deliver infected software that won't be noticed until it's too late.

A study of the Android Market by SMobile Systems of Columbus, Ohio, released in June highlighted the potential for danger, noting that 1 in 5 of the applications it surveyed sought permission to access information that an "attacker could use for malicious purposes," while 1 in 20 could call any number without the user's authority.

More than a light

Apple does review apps before allowing them in its store, but its system hasn't proved infallible either.

Earlier this year it became clear that one approved iPhone flashlight app, Handy Light, also allowed users to turn their phone into a wireless modem for other devices. It was a virtuous feature as far as users were concerned, but it clearly slipped by Apple's review undetected.

Most of these vulnerabilities were patched, or addressed, by Apple and Google soon after they were identified by the researchers. But a handful of malicious mobile applications have also appeared outside research labs, or "in the wild."

Late last year, an Android app popped up that promised to facilitate mobile banking, but actually just delivered users to the URL of their bank and may have collected log-ins and passwords, in what's known as a phishing scheme.